December 21, 2025

Cyber OSINT Overview, Dec 15 - Dec 21, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Multiple threat actors are actively exploiting a critical zero-day vulnerability (CVE-2025-20393) in Cisco AsyncOS for Secure Email Gateway and Secure Email and Web Manager. The campaign, attributed to China-linked group UAT-9686, allows unauthenticated remote code execution with root privileges on systems where the Spam Quarantine feature is exposed to the internet. No security patch is currently available, prompting urgent recommendations to restrict management interfaces from public exposure.
  • Critical authentication bypass vulnerabilities in the FortiCloud SSO login mechanism (CVE-2025-59718 and CVE-2025-59719) are under active exploitation. Attackers utilize crafted SAML messages to gain administrative access, subsequently exporting device configurations that contain hashed credentials. CISA has added CVE-2025-59718 to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate patching or disabling the SSO feature.
  • The React2Shell vulnerability (CVE-2025-55182) has triggered an unprecedented wave of industrialized exploitation, affecting React Server Components and frameworks like Next.js. Researchers note the highest verified public exploit count for any CVE, with attackers deploying automated scanners to drop reverse shells and backdoors. While patching is essential, several hundred machines have already been compromised, requiring post-exploitation monitoring to evict persistent actors.
  • Gladinet CentreStack and Triofox products are facing coordinated extortion campaigns targeting unpatched local file inclusion and insecure cryptography vulnerabilities. Threat actors, potentially including the Clop ransomware group, are chaining CVE-2025-14611 and CVE-2025-11371 to extract sensitive configuration files and achieve remote code execution. Organizations are urged to update to version 16.12.10420.56791 or higher to mitigate these risks.
  • A critical UEFI firmware flaw across motherboards from ASUS, Gigabyte, MSI, and ASRock enables pre-boot Direct Memory Access (DMA) attacks. The vulnerability involves a discrepancy where firmware reports DMA protection is active but fails to correctly initialize the IOMMU. This allows physically present attackers to bypass memory protections and inject code before the operating system and its security controls are loaded.

Critical Vulnerabilities

  • HPE has patched a maximum-severity RCE vulnerability in OneView (CVE-2025-37164) with a CVSS score of 10.0. The flaw allows unauthenticated remote code execution, granting full system compromise in environments managing large-scale IT infrastructure. Administrators should upgrade to version 11.00 or apply security hotfixes for older versions immediately.
  • WatchGuard Fireware OS contains a critical out-of-bounds write vulnerability (CVE-2025-14733) in its ‘iked’ process. The flaw affects IKEv2 VPN services configured with a dynamic gateway peer, allowing unauthenticated remote code execution. WatchGuard has confirmed active exploitation and urges immediate patching to prevent gateway compromise.
  • A critical privilege escalation flaw in SonicWall SMA1000 series (CVE-2025-40602) is being exploited in the wild. Threat actors are chaining this medium-severity flaw with a critical RCE vulnerability (CVE-2025-23006) to gain root-level access. CISA has added the vulnerability to its KEV catalog, requiring federal agencies to patch affected systems promptly.
  • Apple and Google have issued emergency patches for two actively exploited WebKit and ANGLE graphics library vulnerabilities (CVE-2025-43529 and CVE-2025-14174). These zero-days allow arbitrary code execution or memory corruption when processing malicious web content. The flaws have been used in highly sophisticated targeted attacks against specific individuals.

Major Incidents

  • The University of Sydney confirmed a data breach resulting from unauthorized access to an internal code repository. The incident exposed personal information of over 20,500 current and former staff, plus historical data for 5,000 students and alumni dating back to 2010. While the system was secured quickly, it highlights the risks of storing sensitive historical data in development environments.
  • U.S. credit check provider 700Credit suffered a third-party supply-chain attack affecting approximately 5.6 million people. Attackers exploited an API shared with a compromised partner to steal names, dates of birth, and Social Security numbers collected between May and October 2025. The incident demonstrates the critical need for robust API security and partner incident notification protocols.
  • The Indian government confirmed a series of GPS spoofing incidents targeting seven major airports, including Delhi and Mumbai. The attacks disrupted navigation data for aircraft using GPS-based landing procedures. While Air Traffic Control safeguards prevented flight cancellations, the incident underscores the vulnerability of aviation infrastructure to electronic warfare tactics.

Emerging Threats

  • Docker’s ‘Ask Gordon’ AI assistant was found vulnerable to indirect prompt injection via metadata poisoning on Docker Hub. Attackers could hide malicious instructions in repository descriptions, tricking the assistant into exfiltrating private build logs and chat history. Docker has addressed the ‘lethal trifecta’ of risks in version 4.50.0 by introducing human-in-the-loop permission prompts.
  • The ‘Urban VPN Proxy’ browser extension, with over 8 million users, was discovered harvesting personal AI chat conversations from platforms like ChatGPT and Gemini. A July 2025 update introduced code that silently exfiltrates prompt and response data to a data broker for marketing analytics. This highlights a growing trend where privacy-marketed tools serve as covert data harvesting mechanisms.
  • Amazon unmasked a North Korean threat actor operating as a remote tech worker by detecting an abnormal 110ms keyboard lag. The operative, likely linked to the Lazarus Group, used an ‘Arizona laptop farm’ to appear domestic while attempting to siphon credentials. This incident marks a surge in sophisticated corporate infiltration attempts by state actors funding illicit programs.
  • China-aligned threat actor Ink Dragon is building victim-based relay networks by converting compromised IIS servers into communication nodes. Using a custom ShadowPad listener, the group effectively masks C2 traffic by proxying commands through a distributed mesh of victim networks. This modular approach allows for high levels of stealth and persistent access across government and telecom sectors.

Regulatory and Policy Updates

  • The U.S. Sentencing Commission has proposed new preliminary guidelines for criminal offenses under the Take It Down Act. The law criminalizes the distribution of nonconsensual deepfake pornography, providing maximum sentences of up to 30 months for digital forgery involving minors. Public comments on the proposed definitions for ‘intimate visual depictions’ are being accepted through February 2026.
  • India’s Digital Personal Data Protection (DPDP) Act is fundamentally altering the regional risk landscape by mandating immediate breach notifications. Compliance obligations now apply to any data exposure, including misconfigurations, transforming operational errors into significant legal and financial liabilities. This shift is driving a restructuring of the Indian cyber insurance market as coverage limits are frequently exceeded.
  • A Texas judge has issued a first-of-its-kind temporary restraining order against smart TV manufacturer Hisense over data collection practices. The order bars the use of Automated Content Recognition (ACR) technology to record and sell viewer habits without explicit consent. This follows lawsuits against five TV makers alleging deceptive practices under the Texas Deceptive Trade Practices Act.

Security Operations

  • The industry is shifting from siloed security tools toward unified ‘platformization’ to address visibility gaps and operational drag. Leaders emphasize that engineering a comprehensive platform across endpoints, networks, and data protection reduces the cognitive overhead of ‘console jumping.’ Unified telemetry allows for faster correlation and execution on insights that traditional, fragmented SIEM models often bury.
  • Detection engineers are highlighting a gap in LDAP reconnaissance monitoring, noting that code-level OIDs are often transformed into bitwise operators in Windows logs. Most detection rules fail because they search for OID strings rather than the bitwise operator ‘&’ logged by Domain Controllers. Effective hunting requires enabling specific diagnostic logging (Event ID 1644) and focusing on the logical structure of queries.
  • Enterprises are re-evaluating public cloud strategies in favor of private cloud environments due to escalating global outages and rising costs. While public clouds offer convenience, single-point-of-failure risks and diminished economic benefits are driving a move back to infrastructure under direct organizational control. This ‘cloud-native to AI-native’ transition requires tighter integration of security and sovereign data management.
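The LDAP detection gap described above, as an added example that is not part of the brief: a string-match rule that looks for the matching-rule OID beside a rule that parses the filter's structure so it also catches the ‘&’ form. The OID and userAccountControl flag values are public Active Directory constants; the sample filters and the exact way a Domain Controller renders the operator in an Event ID 1644 entry are constructed assumptions.

```python
import re

# Public Active Directory constant for the LDAP bitwise-AND matching rule (not from the brief).
BIT_AND_OID = "1.2.840.113556.1.4.803"

# userAccountControl bits worth naming in an alert (public flag values).
UAC_FLAG_NAMES = {2: "ACCOUNTDISABLE", 524288: "TRUSTED_FOR_DELEGATION", 4194304: "DONT_REQ_PREAUTH"}

# Constructed sample filters. Entry 0 is the code-level (OID) form a tool sends; entry 1 is the
# same query as a Domain Controller might render it in an Event ID 1644 entry, with the OID
# replaced by the '&' operator (the exact log layout is an assumption, not a copied event).
SAMPLE_FILTERS = [
    "(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))",
    "( &  (objectCategory=person)  (userAccountControl & 4194304) )",
    "(&(objectClass=user)(sAMAccountName=jdoe))",
]

OID_FORM = re.compile(r"\(\s*(\w+)\s*:" + re.escape(BIT_AND_OID) + r":=\s*(\d+)\s*\)")
BITWISE_FORM = re.compile(r"\(\s*(\w+)\s*&\s*(\d+)\s*\)")

def naive_rule(filter_text):
    """String-match rule of the kind the brief describes: only the OID spelling triggers it."""
    return BIT_AND_OID in filter_text

def extract_bit_tests(filter_text):
    """Return every (attribute, mask) bitwise-AND test in a filter, in either spelling."""
    tests = [(a, int(m)) for a, m in OID_FORM.findall(filter_text)]
    tests += [(a, int(m)) for a, m in BITWISE_FORM.findall(filter_text)]
    return tests

def structural_rule(filter_text):
    """Flag a filter that applies a bitwise test to userAccountControl, whichever form was logged.
    Returns the flag names (or raw masks) tested; empty list when the filter is benign."""
    hits = []
    for attr, mask in extract_bit_tests(filter_text):
        if attr.lower() == "useraccountcontrol":
            hits.append(UAC_FLAG_NAMES.get(mask, f"mask_{mask}"))
    return hits

def hunt(filters):
    """Run both rules over a batch of logged filters; returns the indices each rule alerts on."""
    naive = [i for i, f in enumerate(filters) if naive_rule(f)]
    structural = [i for i, f in enumerate(filters) if structural_rule(f)]
    return naive, structural

if __name__ == "__main__":
    print(hunt(SAMPLE_FILTERS))  # naive misses the '&' form: ([0], [0, 1])
```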

Wins

  • The DOJ has indicted 54 individuals belonging to the Tren de Aragua gang for a massive ATM jackpotting scheme. The ring used Ploutus malware to drain millions from ATMs across the US, including targeting dozens of credit unions. This coordinated law enforcement action involved federal and state agencies using financial tracking to follow the trail back to leaders in Venezuela.
  • International authorities seized the infrastructure of E-Note, a cryptocurrency exchange used to launder illicit funds for ransomware operators. The service allegedly moved over $70 million since 2017, providing cash-out routes for criminals targeting healthcare and critical infrastructure. The coordinated takedown included servers, mobile applications, and customer databases obtained by US, German, and Finnish agencies.
  • Nigerian police arrested the alleged developer of the RaccoonO365 phishing-as-a-service platform following intelligence tips from Microsoft and the FBI. The platform was responsible for compromising at least 5,000 Microsoft 365 accounts across 94 countries. The arrest represents a successful outcome of private-public partnerships aimed at dismantling cybercrime ecosystems.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.